WO2008080352A1 - WLAN charging method based on WLAN Authentication and Privacy Infrastructure (WAPI) - Google Patents

Info

Publication number
WO2008080352A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile terminal
access point
authentication
certificate
wireless access
Application number
PCT/CN2007/071371
Other languages
English (en)
Chinese (zh)
Inventor
Benteng Ma
Jun Cao
Bianling Zhang
Xiaolong Lai
Xiangchen Ma
Original Assignee
China Mobile Group Design Institute Co., Ltd.
China Iwncomm Co., Ltd.
Priority date
2006-12-29
Filing date
2007-12-28
Publication date
2008-07-10
Application filed by China Mobile Group Design Institute Co., Ltd. and China Iwncomm Co., Ltd.
Publication of WO2008080352A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/02 Details
    • H04L 12/14 Charging, metering or billing arrangements for data wireline or wireless communications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/02 Terminal devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/08 Access point devices

Definitions

  • The present invention relates to the field of network and wireless communication technologies, more particularly to wireless local area networks, and in particular to a method for WLAN operation based on the WLAN Authentication and Privacy Infrastructure (WAPI).
  • WLAN: Wireless Local Area Network
  • The purpose of mobile operators in building wireless LANs is to combine WLANs with existing mobile networks and functions so as to provide users with faster and wider mobile voice and data access services, as well as a complementary means of wired data access.
  • An operational WLAN no longer only provides users with simple network interconnection; more importantly, it implements carrier-class operation. It is therefore necessary to add, on top of the basic architecture, a series of functions such as billing, network management and authentication, together with access control and billing methods.
  • Compared with wired LANs, security is of paramount importance for wireless LANs, and WLAN-related standards have initially been formed, including a new security mechanism, the WLAN Authentication and Privacy Infrastructure (WAPI).
  • WAPI: WLAN Authentication and Privacy Infrastructure
  • This security mechanism for wireless LANs is composed of two parts: WAI (WLAN Authentication Infrastructure) and WPI (WLAN Privacy Infrastructure).
  • WAPI provides a certificate-based authentication and key negotiation method. This method offers high security, ensures that legitimate users access legitimate networks, and protects data on the wireless link.
  • Current authentication mechanisms (such as RADIUS) only implement one-way authentication between the network and the user, and implement charging and other functions on the basis of that authentication.
  • This authentication and charging mode is effective when the link is relatively secure, that is, it is better suited to a wired environment.
  • Wireless LAN links, however, are not always secure because of their open nature.
  • The present invention provides an authentication and charging method for wireless local area networks that is compatible with related authentication methods and supports the various authentication and charging methods currently in use, so as to implement certificate-based WAPI WLAN operation.
  • The invention provides a WAPI-based WLAN authentication and charging method, including: issuing the same certificate for all mobile terminals, and installing the issued certificates on each mobile terminal;
  • when a mobile terminal accesses the network, the mobile terminal associates with a wireless access point to establish a link connection;
  • the certificate of the mobile terminal and the certificate of the associated wireless access point are each authenticated; when certificate authentication succeeds, the mobile terminal and the wireless access point perform session key negotiation, and the wireless access point notifies the multicast key to the mobile terminal to allow the mobile terminal to access;
  • after the mobile terminal has accessed, the account information of the mobile terminal is authenticated;
  • the mobile terminal authentication information is given based on the result of the account information authentication, so that the mobile terminal can access the network.
  • The same certificate is issued for all mobile terminals and a different certificate is issued for each wireless access point, and link-level authentication and user-level identity authentication are separated into two independent processes. Link-level authentication is used to protect the security of wireless link access.
  • User-level identity authentication is used for management services such as authorization and accounting, so that the wireless local area network can serve as an extension of the original operating network and its operation management is consistent with the original operating network.
  • The invention can implement two-way identity authentication between the user and the network in the link-level authentication process, is compatible with the original authorization and accounting management systems, and supports related standards.
  • The invention adopts a certificate mechanism based on a public key cryptosystem in the link-level authentication process and truly realizes two-way authentication between the mobile terminal (MT, Mobile Terminal) and the wireless access point (AP, Access Point), which fully satisfies the operator's requirements for secure access and ensures the security of the wireless link.
  • The network further authenticates the user identity of the mobile terminal, controls whether the mobile terminal can access the network, and, according to the authentication result, controls network access and bills the user's network access; the information of the subsequent user account authentication phase is thereby effectively protected, so the security is high.
  • After a wireless access point has been provisioned with a certificate, it is no longer necessary to set up an AAA server behind it; installation and networking are easy, and the scheme can be used for operation in large-scale hotspots. At the same time, users only need to install one certificate to roam across the different areas covered by the WLAN, which is convenient for users.
  • The invention uses the same terminal certificate while ensuring secure access, so that operation and maintenance procedures are simplified and costs are greatly reduced.
  • The mobile terminal (MT) in this specification is a terminal in which a wireless network adapter is installed.
  • A wireless access point (AP) is a device that provides network access services for mobile terminals.
  • The server is a network entity that provides identity authentication services and certificate management functions.
  • The link-level authentication steps are as follows:
  • The server issues the same certificate for all mobile terminals and one certificate for each wireless access point, different wireless access points receiving different certificates; the mobile terminals and the wireless access points install the certificates issued by the server;
  • When a mobile terminal needs to access the network, it first associates with a wireless access point to establish a link connection;
  • The wireless access point sends an authentication activation frame to the mobile terminal to start the authentication process;
  • The mobile terminal sends an access authentication request, which includes the mobile terminal's certificate, to the wireless access point;
  • The wireless access point sends a certificate authentication request, which includes the certificates of both the mobile terminal and the wireless access point, to the server;
  • The server verifies the certificates of the mobile terminal and the wireless access point: it checks whether the mobile terminal's certificate is the unified legal certificate issued for all mobile terminals in the network, and whether the wireless access point's certificate is a legal access point certificate (the wireless access point's certificate cannot be the same as the certificate issued for the mobile terminals on the network);
  • The wireless access point decides whether the mobile terminal is allowed to access according to the mobile terminal certificate authentication result returned by the server, and sends an access authentication response to the mobile terminal;
  • The mobile terminal decides whether to access the wireless access point according to the server's certificate authentication result for the wireless access point carried in the access authentication response; if yes, it proceeds to step 5), otherwise the process ends.
  • Step 5) The mobile terminal and the wireless access point perform session key negotiation, and the wireless access point notifies the mobile terminal of the multicast key, as follows:
  • The wireless access point sends a unicast key negotiation request to the mobile terminal; after receiving it, the mobile terminal sends a unicast key negotiation response, which includes the session key data, to the wireless access point; after receiving the unicast key negotiation response, the wireless access point sends a unicast key negotiation confirmation to the mobile terminal.
  • The wireless access point sends a multicast key announcement to the mobile terminal, which includes the key for encrypting multicast data; after receiving it, the mobile terminal sends a multicast key announcement response to the wireless access point.
  • The wireless access point allows the mobile terminal to access.
  • Step 7) The access controller (AC, Access Controller), a network device that provides access control for users accessing the network, sends the account information of the mobile terminal to the server for authentication;
  • The server gives the mobile terminal authentication information according to the result of the account information authentication, and the mobile terminal exchanges data with the network, that is, the mobile terminal can access the network.
  • In step 7) the access controller can authenticate the account information of the mobile terminal according to the following steps:
  • The system automatically pops up a web page prompting the user to enter a user name and password;
  • The server verifies the identity of the user according to the user name and password, and controls network access according to the authentication result;
  • The terminal can then access the network.
  • In step 7) the account information of the mobile terminal can also be authenticated by the access controller as follows:
  • The mobile terminal uses the information in its subscriber identity module (i.e. the SIM card) to perform identity authentication and session key negotiation with the wireless access point through the authentication server, and network access is controlled according to the authentication result;
  • The mobile terminal can then access the network.
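The two-stage model described in the steps above, as a constructed Python simulation that is not code from the patent or its assignees: the server checks that the terminal presents the single unified terminal certificate and that the access point presents its own per-AP certificate (never the terminal certificate), the link is established only when both checks pass, and the access controller's account authentication is gated on that link. The HMAC "signature", the `Server`/`Certificate` names and the `ACCOUNTS` table are stand-ins assumed for the example.

```python
"""Simulation of link-level certificate authentication (one shared terminal
certificate, one certificate per AP) followed by user-level account
authentication.  Constructed example; the signature scheme is a stand-in."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Tuple

# Stand-in for the certificate authority's signature: an HMAC under a key
# only the server holds.  Real WAPI uses public-key certificates.
SERVER_KEY = b"constructed-server-signing-key"


@dataclass(frozen=True)
class Certificate:
    subject: str      # "MT" for the shared terminal cert, the AP id otherwise
    role: str         # "terminal" or "access_point"
    sig: str = ""

    def body(self) -> bytes:
        return json.dumps({"subject": self.subject, "role": self.role},
                          sort_keys=True).encode()


def issue(subject: str, role: str, key: bytes = SERVER_KEY) -> Certificate:
    """Server issues a certificate by signing subject and role."""
    unsigned = Certificate(subject, role)
    sig = hmac.new(key, unsigned.body(), hashlib.sha256).hexdigest()
    return Certificate(subject, role, sig)


def valid_signature(cert: Certificate, key: bytes = SERVER_KEY) -> bool:
    expect = hmac.new(key, cert.body(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, cert.sig)


class Server:
    """Authentication server: one unified terminal cert, one cert per AP."""

    def __init__(self) -> None:
        self.terminal_cert = issue("MT", "terminal")
        self.ap_certs: Dict[str, Certificate] = {}

    def issue_ap_cert(self, ap_id: str) -> Certificate:
        self.ap_certs[ap_id] = issue(ap_id, "access_point")
        return self.ap_certs[ap_id]

    def authenticate_certificates(self, mt_cert: Certificate,
                                  ap_cert: Certificate) -> Tuple[bool, bool]:
        """Verify both certificates carried in the AP's certificate
        authentication request; returns (mt_result, ap_result)."""
        mt_ok = valid_signature(mt_cert) and mt_cert == self.terminal_cert
        ap_ok = (valid_signature(ap_cert)
                 and ap_cert.role == "access_point"
                 and self.ap_certs.get(ap_cert.subject) == ap_cert
                 and ap_cert != self.terminal_cert)  # AP may not reuse MT cert
        return mt_ok, ap_ok


def link_level_auth(server: Server, mt_cert: Certificate,
                    ap_cert: Certificate) -> dict:
    """AP admits the MT only if mt_ok; the MT stays only if ap_ok.
    Key negotiation (step 5) starts only when both hold."""
    mt_ok, ap_ok = server.authenticate_certificates(mt_cert, ap_cert)
    return {"mt_ok": mt_ok, "ap_ok": ap_ok, "link_established": mt_ok and ap_ok}


# Constructed subscriber database for the user-level stage (hashed passwords).
ACCOUNTS = {"alice": hashlib.sha256(b"constructed-password").hexdigest()}


def user_level_auth(link: dict, username: str, password: str) -> bool:
    """Access controller (web-portal variant of step 7) forwards account
    information to the server only over a link that passed step 5."""
    if not link["link_established"]:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(ACCOUNTS.get(username, ""), digest)
```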
  • The steps in the above embodiments can be implemented by a program instructing related hardware, and the program can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or a CD. Alternatively, they may be fabricated as individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

A WAPI-based WLAN authentication and charging method comprises the following steps: the same certificate is issued to all mobile terminals, and a different certificate is issued to each radio access point. When a mobile terminal accesses a network, the mobile terminal associates with a radio access point and establishes a link connection. The certificate of the mobile terminal and the certificate of the radio access point associated with the mobile terminal are authenticated. When certificate authentication succeeds, the mobile terminal and the radio access point negotiate session keys, and the radio access point notifies multicast keys to the mobile terminal to authorize the mobile terminal's access. After the mobile terminal has accessed the network, the account information of the mobile terminal is authenticated. The authentication information of the mobile terminal is obtained according to the result of the account information authentication, so that the mobile terminal can access the network. According to the present invention, the operation management of the wireless local area network is consistent with the original operating network, two-way identity authentication between the user and the network can be realized, the original authorization and charging system can be kept compatible, and related standards are supported.
PCT/CN2007/071371 2006-12-29 2007-12-28 WLAN charging method based on WLAN Authentication and Privacy Infrastructure (WAPI) WO2008080352A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610105377.9 2006-12-29
CNB2006101053779A CN100512110C (zh) 2006-12-29 2006-12-29 Method for implementing WAPI-based WLAN operation using a single terminal certificate

Publications (1)

Publication Number Publication Date
WO2008080352A1 true WO2008080352A1 (fr) 2008-07-10

Family

ID=38251796

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/071371 WO2008080352A1 (fr) 2006-12-29 2007-12-28 WLAN charging method based on WLAN Authentication and Privacy Infrastructure (WAPI)

Country Status (2)

Country Link
CN (1) CN100512110C (fr)
WO (1) WO2008080352A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100512110C (zh) * 2006-12-29 2009-07-08 China Mobile Group Design Institute Co., Ltd. Method for implementing WAPI-based WLAN operation using a single terminal certificate
CN101483866B (zh) * 2009-02-11 2011-03-16 ZTE Corporation Method, device and system for managing WAPI terminal certificates
CN102104857B (zh) * 2009-12-16 2013-10-02 Huawei Technologies Co., Ltd. Charging method and communication system
CN102571792A (zh) * 2012-01-06 2012-07-11 Xi'an Runji Investment Holding Co., Ltd. Identity authentication method for an intelligent mobile wireless terminal accessing a cloud server

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1399490A (zh) * 2002-08-15 2003-02-26 China Iwncomm Co., Ltd. Secure access method for wireless local area network mobile terminals
CN1429005A (zh) * 2001-12-25 2003-07-09 ZTE Corporation Shanghai Second Research Institute Method for broadband network authentication, authorization and accounting
CN1564524A (zh) * 2004-03-26 2005-01-12 ZTE Corporation Method for charging wireless terminals in a wireless local area network
CN1996841A (zh) * 2006-12-29 2007-07-11 China Mobile Group Design Institute Co., Ltd. Method for implementing WAPI-based WLAN operation using a single terminal certificate

Also Published As

Publication number Publication date
CN100512110C (zh) 2009-07-08
CN1996841A (zh) 2007-07-11

Similar Documents

Publication Publication Date Title
WO2008080351A1 (fr) WLAN operation method based on WLAN Authentication and Privacy Infrastructure (WAPI)
JP5313200B2 (ja) Key generation method and apparatus in a communication system
JP4624785B2 (ja) Interworking function in a communication system
US8094821B2 (en) Key generation in a communication system
JP4687788B2 (ja) Wireless access system and wireless access method
EP1852999A1 (fr) Access authentication method suitable for wired and wireless networks
US8611859B2 (en) System and method for providing secure network access in fixed mobile converged telecommunications networks
WO2009065347A1 (fr) Secure communication method, system and apparatus for a home base station
CN1859098A (zh) Method for implementing EAP authentication relay in a wireless access system
WO2011015060A1 (fr) Extensible authentication protocol authentication method, and associated base station and authentication server
WO2007131426A1 (fr) AAA system and method for authentication of a multi-host network
WO2010069202A1 (fr) Authentication negotiation method and associated system, security gateway and home Node B
WO2012151905A1 (fr) Network handover method and device
Yang et al. 3G and WLAN interworking security: Current status and key issues
WO2008080352A1 (fr) WLAN charging method based on WLAN Authentication and Privacy Infrastructure (WAPI)
WO2008080353A1 (fr) WLAN operation method based on WLAN Authentication and Privacy Infrastructure (WAPI)
WO2010102496A1 (fr) Method for implementing zero-interference charging at a terminal of a WAPI system
WO2012113225A1 (fr) Method, device and system for securely accessing a WAPI network
WO2008148348A1 (fr) Communication method, system and home base station
KR101068426B1 (ko) Interworking function for a communication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07846197

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07846197

Country of ref document: EP

Kind code of ref document: A1